Mandatory data breach notification scheme

Cybercrime and its potential impact on business operations are well understood today, with reports about data breaches, malware attacks and email scams of all kinds making the news almost daily.

Businesses with websites, and that’s just about every business, hold data and information about customers. This sensitive information is at serious risk of being accessed by cyber criminals following a malicious cyber attack that results in a data breach.

The cost of data breaches to Australian business is staggering, running into the tens of millions of dollars, as detailed in a 2017 report produced by the security division of IBM.

What was once mainly a problem for big business now encompasses small and medium businesses of every description, with service providers at the top of the list of industries targeted.

Recent legislation means that it is now mandatory for any affected business to report a data breach to the government and its customers.

If a business suspects it has been subject to a data breach, it will be required to carry out an assessment within 30 days. If there are then reasonable grounds to believe a data breach has occurred, the business will need to notify the Australian Privacy and Information Commissioner, as well as all the affected individuals.

The government believes the new scheme will strengthen the protections afforded to everyone’s personal information, and will improve transparency in the way that the public and private sectors respond to serious data breaches. It will also give individuals the opportunity to take steps to minimise the damage that can result from unauthorised use of their personal information.